Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.
Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page can not be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.
Sûnnet Beskerming do not normally offer services and products direct to the consumer, with this weekly column as the primary exception. One of the primary difficulties with a weekly column is ensuring that the content being reported remains fresh and relevant, even when it may be more than a week out of date at time of publishing. To remedy this situation, and to provide more timely information for people who desire up to the minute news, Sûnnet Beskerming is announcing the establishment of a mailing list which will provide up to the minute news on emerging threats, advice on good security practices, analysis and explanation of technical news items which may have an impact on your future IT purchases, and collation and distillation of multiple news sources to provide you with a brief, accurate, non-biased synopsis of technology trends, with a focus on security. Sûnnet Beskerming do not restrict the focus of their services to only one operating system or hardware platform, which allows you an equal level of service even if you do not run the leading Operating Systems.
Having as little as a few hours warning is enough to protect your systems against rapidly emerging threats. Some of the most prolific worms and viruses in existence can infect all vulnerable systems within a matter of hours, so every second counts. This is where having Sûnnet Beskerming services helps.
As a recent example, you would have been informed of the recent network compromise which resulted in up to 40 million credit card details being compromised a full 12 hours before it was being reported in the major Information Technology news sites, and more than four days before it was being reported in the mainstream media.
Sometimes we are even faster than Google, being able to deliver timely, accurate information before any related content appears in the Google search results.
Not many people can afford to be dedicated full time to searching and identifying this information, and so tend to find out once something bad has already happened to their systems. Let Sûnnet Beskerming use their resources to bring you this information before you find it out the hard way.
Sûnnet Beskerming are offering a free trial membership period for consumer subscribers to the mailing list (Businesses have their own, similar list, with added services). For subscription information, or more information, please send an email to email@example.com.
Windows 95 Turns 10 - 29 August 2005
Last week marked ten years since the introduction of one of the most influential software products of the modern computing era: on August 24, 1995, Microsoft released their Windows 95 Operating System to eager PC users, the first 32-bit Operating System for personal computer users running IBM-PC compatible systems. IBM and Apple looked on with interest, as Microsoft was finally releasing their much-hyped next generation Operating System, which would bring to the mass market many features that OS/2 (IBM) and System 7.5 (Apple) had already provided to their respective users. Although not a true Operating System at that stage (it was a graphical application resting on top of a modified MS-DOS), it was a resounding initial success.
For many years, IBM-PC compatible users had dismissed the mouse and the graphical user interface (the GUI) as merely toys, something that 'real' computer users could do without. The release of Windows 95 changed that approach, and allowed Microsoft to aggressively pursue their goal of increasing the size of the Personal Computer industry. This was spectacularly achieved with Windows 95, and the following consumer version, Windows 98. Unfortunately, a large number of the new computer owners (and users) had no in-depth knowledge of how their systems worked, preferring to remain in the position of knowing how to achieve the tasks that they needed to, and not much more.
Even with this success, it may have laid the seeds for the persistent security problems facing Microsoft Windows users, even now. While the security of the competing consumer, and business, Operating Systems was not all that advanced, Microsoft's mass market appeal made it more susceptible to future abuses, as it fostered the introduction of a large, semi computer-literate userbase. The slow recognition of the emerging importance of the Internet was an extremely costly mistake for Microsoft. The addition of an Internet browser (Internet Explorer) was such a late inclusion that it was not present on retail copies of Microsoft Windows 95, but was on the OEM versions.
The power of the new Operating Systems gave software developers a very useful development environment, and the low level of security knowledge at the time meant that developers were not too concerned with possible abuses of their applications such as buffer overflows. In the gold rush to release software, security took a back seat, along with multi-user management (especially difficult in a single user Operating System), and the after-effects are still being felt now, as the descendants of this coding approach are being exploited in the modern networked computing environment.
Some of the sharper historical wits have highlighted a unique coincidence with the release date of Windows 95. August 24, AD 79, was the date that Mt. Vesuvius erupted, burying the cities of Pompeii and Herculaneum. Perhaps a parallel can be drawn with the effects of Windows 95 on modern computing.
In some more positive news for users of Microsoft's Internet Explorer, it has been suggested that the anti-phishing component of Internet Explorer 7 will be provided to users of Internet Explorer 6, via a plugin to the MSN Toolbar. In addition to needing Internet Explorer 6, Windows XP with Service Pack 2 installed will be needed as the underlying system. There is no news as to whether other versions of Internet Explorer, or Microsoft Windows, will have the protection made available.
The recent Zotob worm release, covered in last week's column, has already seen a number of arrests over its creation and release. Because of the relation to the earlier Mytob worm, authorities are confident that they have arrested the originators of that worm as well. Given the willingness of companies that have been hit with damaging worms to call for severe punishment (to hide their inability to protect their systems), and the history of the German teenager (Sven Jaschan) who released a Sasser variant, it is likely that the people currently in custody will face some significant jail time. The arrests were carried out in Morocco and Turkey, and it is not known whether there will be any attempts to extradite the suspects to other countries to face different legal systems, although the FBI are currently indicating that they will not be seeking extradition. From the reporting surrounding the case, it appears that the teenage Moroccan was the author of the Zotob and Mytob worms, writing them for the Turk, who paid for their creation.
The FBI was involved with tracking down the suspects, and utilised technical assistance from Microsoft in finding the source of the worms. The Moroccan teenager was known online as Diabl0, an identity which was already known as the originator of the worm. Various security mailing lists were fully aware of the identity Diabl0, but not the real person behind it. It was suggested that the slipup was the result of the Turkish hacker attempting to move funds from users whose systems had been compromised, but the case is still under investigation. The tracking and identification of the suspects was achieved through electronic means only, separating it from Sven Jaschan's case, where he was identified by associates.
The popular open-source media player, mplayer, has recently been found to be vulnerable to a memory overflow attack which can result in the execution of code of the attacker's choice any time that a specially crafted audio or video file is opened. The existence of mplayer has been a boon for a lot of Linux users, who have otherwise been at a loss for being able to replay audio and video without booting into another OS. All versions prior to 1.0pre7try2 are vulnerable, and the recommendation is to upgrade to this version. While it is not known whether it is being actively exploited, it could become the basis for a worm that would spread through Linux based systems (one of the few realistic opportunities for such a worm).
With similar news circulating for a while now, another set of weaknesses has been found in the various in-room electronic services provided in many hotels around the world. While most of the vulnerabilities that have been disclosed to date are the result of an incorrect installation and setup, the most concerning reports suggest that the core services are vulnerable to various active and passive attacks, including capture of all traffic crossing the network (i.e. view other hotel clients' mail and websurfing), and insertion of content of choice (i.e. reprogram all television channels to show the adult PPV movie, which has also had payment restrictions bypassed). When traveling and staying in a hotel which offers these sort of facilities, it is important to apply the same sort of caution to your online activities, as you would in an Internet cafe. Essentially, any network connection made from such an environment should not be considered a trusted connection, and you should apply your own internal checks and balances to ensure against compromise.
Were You Caught Out? - 22 August 2005
It didn't take long for the worms and exploits to begin circulating following Microsoft's monthly security patch release. One of the earliest vulnerabilities to be exploited was the Plug and Play vulnerability in Windows 2000, which was patched with MS05-039. By the weekend following the patch release (i.e. last weekend), early versions of a worm called Zotob were circulating. Bearing a strong naming similarity with the Mytob family of worms, analysis suggests that Zotob is a Mytob derivative, replacing the Mydoom code with code specific to the Plug and Play vulnerability. Rapid evolution has already seen the original Zotob worm pick up a mass emailing component, which provided it with two infection vectors, through email and through the Windows 2000 Plug and Play vulnerability. The email infection vector allows it to target all versions of Windows from Windows 98, onwards, which were otherwise invulnerable to the Plug and Play issue.
Zotob creates an IRC connection on the compromised system, effectively turning the computer into a remote-controlled 'bot', part of a hacker's network. Users might find that they are unable to view webpages, as they are being redirected to the local loopback address (127.0.0.1), and access to sites such as eBay, PayPal, Amazon, Anti-Virus vendors, and Microsoft Update might be blocked.
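The redirection to 127.0.0.1 described above is the kind of change a defender can check for directly, since it is visible in the local hosts file. The following is an added example, not code from the original column or from any vendor: it parses a constructed hosts file (modelled on the symptoms described, not a real capture) and flags any entry that maps a vendor, payment or update domain to a loopback address. The list of watched domain suffixes and the sample file contents are assumptions for the illustration.

```python
import re

# Constructed sample hosts file for the example (not a real capture). The
# entries pointing security, update and payment sites at loopback mirror the
# symptoms described in the column.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com
127.0.0.1       www.paypal.com
10.0.0.5        intranet.example.local   # legitimate internal override
"""

# Assumed watch list: domains that a legitimate hosts file should never send
# to loopback. Extend with the vendors relevant to your own environment.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "ebay.com", "paypal.com", "amazon.com",
)

# Addresses that effectively black-hole a name when used in a hosts file.
LOOPBACK = ("127.0.0.1", "0.0.0.0", "::1")


def parse_hosts(text):
    """Return (line_number, ip, hostname) tuples, ignoring comments/blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def _is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_suspicious(text):
    """Entries that map a watched domain to a loopback/black-hole address."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":               # the one legitimate loopback entry
            continue
        if ip in LOOPBACK and _is_watched(name):
            hits.append((lineno, ip, name))
    return hits


if __name__ == "__main__":
    # On a real Windows host you would read %SystemRoot%\System32\drivers\etc\hosts
    # instead of the constructed sample.
    for lineno, ip, name in find_suspicious(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} (suspicious loopback override)")
```

A clean hosts file yields an empty result; on the sample above the four vendor and payment entries are reported while the `localhost` line and the internal override are left alone. The same parser can be pointed at the real hosts file path on a Windows system as part of a routine integrity check.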
By mid last week, Zotob had also seen the arrival of a number of competing worms, including IRC bots (IRCBot-ES), which have a much easier infection mechanism once a network has been compromised.
Microsoft's patch for the Print Spooler vulnerability, a part of the recent security patch release, appears to have re-activated the service on machines on which it had previously been disabled. A number of reports from end users indicate that the spoolsv.exe process is trying to contact systems other than the one it is hosted on, and that this behaviour occurs following the application of the Microsoft patch.
Following the initial rush of blood, and claims that the sky was falling, which accompanied the release of Microsoft's security patches, it appears that the panic level has returned to normal, with the Zotob worm appearing to have infected the majority of naturally vulnerable Windows 2000 hosts, and no apparent forthcoming worms for the remaining vulnerabilities. Detailed exploit code has been distributed for a number of the other vulnerabilities, with Internet Explorer's vulnerabilities drawing special attention. In addition, other product suppliers are beginning to find that they are also vulnerable. A range of Cisco products which are based on the Windows Operating System have been announced to be vulnerable to at least a Denial of Service as a result of the current crop of worms. Operators of Cisco equipment should contact Cisco to ensure that the products being used are suitably protected.
Even though the infection rate appears to be stabilising, a number of companies have disclosed that they were compromised by the worms. This list includes Daimler-Chrysler and General Motors (Holden), where multiple plant infections cost tens of millions of dollars worth of lost productivity just within the vehicle manufacturers. At least a hundred million dollars worth of lost productivity would have resulted as these major manufacturers would have been unable to properly handle deliveries and incoming products from external suppliers. Media agencies such as the American networks ABC and CNN were also affected, with newspapers The New York Times and The Financial Times also falling victim to infections. Other reports suggest that Disney, AMEX, Cingular, AOL, GE, Caterpillar, and UPS were also affected. Numerous other companies will have also been affected and would have lost significant productivity due to their internal Information Technology system downtime. Even more worrying is the inappropriate action being taken by system administrators in their efforts to either mitigate or clean up the effects of the worms. Some organisations withheld the clean up process for 24 hours after the infections took hold, while others ignored the significant public reporting before recommending inappropriate actions (such as no Internet usage, when the primary worms spread independent of websites visited) prior to attempting mitigation procedures, three days after the initial mass infections.
Although IT is generally regarded as a cost centre for businesses, it is worms like this which can drive home the point that IT has become an essential part of most modern businesses. Again, Windows users are extremely lucky that the worm developers were generally incompetent in their development of this worm. In their rush to release first, the Turkish hackers who created Zotob took a number of shortcuts. If Zotob, and the related worms, had a more robust means of determining the next set of targets (it only infects the local subnet), then it could have spread much faster. If it had a properly developed payload, it would not have forced Windows 2000 machines to continually reboot, instead it would have destroyed data, or sent it out to the remote hackers. There was some evidence that they were monitoring the end infections, but they did not really capitalise on this information. If a worm could only send out 100 copies a second, but could potentially infect 1% of the total Internet address space, it would saturate the Internet in a matter of minutes, rather than the ongoing efforts that the current worms are engaged in, when the vulnerable targets are probably much more than 1% of the total Internet address space.
Some observers are likening this latest mass worm threat to Windows, and the continued usage of that platform by most users, to the unfortunately named 'Battered Wife Syndrome'. The syndrome is characterised by a person who, subject to ongoing physical and mental abuse from a partner, becomes unable to take independent action to remove themselves from the situation. The victim tends not to seek advice or assistance from others, or even fight back against the abuser, and can even convince themselves that they are the problem. They also believe the statements from their abuser that they (the abuser) have changed, and will not do it again.
The observers that have drawn the parallel with this syndrome point out that Microsoft has abused its monopoly position, generally lied to users about security, and have a long record of security problems which have caused significant losses for end users. They point to the unethical business practices, responsibility-avoiding EULAs, accusations of piracy (and associated audits), and continued promises that 'things will be better, next time' as being ongoing examples of Microsoft's abuse of their situation, while still keeping most of their end users on the Windows Operating System.
Defenders of Microsoft have countered with pointing out the increased efforts being taken by Microsoft with respect to the security of their products.
The online crime of the moment, identity theft and Internet fraud, has attracted some more attention from the mainstream media. The ABC Four Corners program, broadcast Monday 15 August 2005, briefly investigated the CardSystems 40 million credit card breach, and the disclosure of identity information by sub-contracted IT support staff in India. Regular readers of our online column would have already been aware of these breaches, a number of weeks (and months) ago, when they originally happened. The broadcast of the program has had some wide reaching effects. One of the firms which was identified for selling this information, Nasscom, has claimed that it was set up, and is stating that it will work with Australian law enforcement agencies. The damage control spin being applied by the company includes pointing to the fact that no formal complaints have been filed, and that India is not the only country which is responsible for identity theft breaches. Also following up on an identity theft issue, an AOL employee who obtained 90 million AOL screen names and email addresses and sold them to spammers has been jailed for 15 months, and fined $83,000 USD, which is three times what he earned from the sale of the information.
Identity thefts continue to be reported in the United States, with more than 30,000 USAF Officers being notified that they may have had their data compromised following a hacker breaching the Assignment Management System (AMS), which contained a significant amount of personal information. The USAF does not believe that there was any sensitive information stolen, but are notifying the personnel involved as a matter of course. According to the reporting, the breach was the result of a legitimate logon that had been copied. The breach was initially identified between May and June, and an exceedingly high level of activity was noticed in the account that had been compromised, which led to the investigation.
Following news from a couple of weeks ago, when the veracity of the MD5 signature on some speed camera images was called into question during a court case, a paper has been released at the Crypto 2005 conference which details an improved attack against the SHA-1 hashing algorithm. One of the issues that faces hashing algorithms is a phenomenon known as a 'collision'. Because a hashing algorithm creates output of a fixed length (128 bits in the case of MD5), and there are only a finite number of options for each bit, it can be deduced that two different original inputs will exist that will output the same hash when passed through the algorithm. This is known as a collision. Cryptography researchers continually search for improved methods to break, and thereby improve, existing cryptographic functions, and a group of Chinese-led researchers has discovered a method which reduces the theoretical effort required to create a collision of SHA-1 hashes to slightly more than the sixty-third power of two operations. A brute force attack, which basically checks for each and every possible hash that could exist, should take around the eightieth power of two operations to discover a collision. The reduction of almost twenty powers of two in terms of operations for discovering a collision means that an implementation is feasible with modern consumer personal computer power (most likely in a clustered configuration).
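The "eightieth power of two" figure above is the generic birthday bound: for an n-bit hash, a collision is expected after roughly 2^(n/2) random inputs, and for SHA-1's 160-bit output that is 2^80. The following is an added example, not from the column or from the Crypto 2005 paper, that makes the bound concrete on a scale a desktop can run: it truncates real SHA-1 output to a small number of bits (an assumption for the illustration, so the search finishes in milliseconds rather than centuries), finds a collision by the straightforward birthday search, and compares the work against the 2^63 figure the column quotes. The message prefix and bit length are arbitrary choices.

```python
import hashlib

SHA1_BITS = 160  # full SHA-1 output length in bits


def truncated_sha1(data: bytes, bits: int) -> int:
    """SHA-1 of `data`, keeping only the top `bits` bits of the digest."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (SHA1_BITS - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages until two share a truncated hash.

    Returns (message_a, message_b, trials). The messages are constructed here
    ("msg-0", "msg-1", ...) purely so the search is deterministic and offline.
    """
    seen = {}
    counter = 0
    while True:
        msg = prefix + str(counter).encode()
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def generic_collision_work(bits: int) -> int:
    """Expected work (hash evaluations) for a generic birthday attack: 2^(bits/2)."""
    return 2 ** (bits // 2)


def work_reduction_factor(generic_log2: int = 80, attack_log2: int = 63) -> int:
    """How many times cheaper the quoted attack is than the generic bound."""
    return 2 ** (generic_log2 - attack_log2)


if __name__ == "__main__":
    bits = 24
    a, b, trials = find_collision(bits)
    print(f"{bits}-bit truncated SHA-1 collision after {trials} hashes "
          f"(birthday estimate ~{generic_collision_work(bits)}):")
    print(f"  {a!r} and {b!r} both hash to {truncated_sha1(a, bits):#08x}")
    print(f"full SHA-1 generic bound: 2^80 = {generic_collision_work(SHA1_BITS)}")
    print(f"quoted attack is 2^{80 - 63} = {work_reduction_factor()}x cheaper")
```

Doubling the truncation length quadruples the expected number of trials, which is the 2^(n/2) behaviour the column relies on; at 160 bits the same loop would need on the order of 2^80 evaluations and a table far beyond any memory, which is why a structural attack that brings the cost down to around 2^63 matters even though it is still enormous.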
According to reporting from The Register, last week, the United Kingdom has brought its Information Technology procurement procedures in line with those in use by the European Union. This move will mean that government tenders can not mandate which processor platform is to be used by contractors in delivering a required outcome. The root of this issue can be taken back to the ongoing litigation between AMD and Intel, where AMD is claiming that Intel has abused its monopoly position to effectively suppress competition. The new acquisition procedures must now use generic technical terms to reference the requirements being sought in government contracts.
There was some crazy news from the United States of America last week. Following a decision to provide students with Dell laptops, the Henrico County Schools in Virginia, USA, offered the superseded Apple iBook laptops for sale at $50 USD each. Although they were fairly recent models (12" screen, 500MHz G3), 1,000 laptops were being sold at this price, when the approximate market price is $200 - $300 USD. News of the extreme bargain attracted several thousand interested people, who stampeded when it quickly became obvious that there were more bargain hunters than computers. In the ensuing melee, it was reported that one person was assaulting others with a fold up chair, a lady soiled herself (fear or excitement?), a stroller was crushed, an ankle was broken, people were pushed to the ground, and someone tried to drive through the crowd in a car. Police in riot gear were required to return some semblance of order to the large crowd.
The Coming Storm - 15 August 2005
A broad range of vulnerabilities have been disclosed and patched by Microsoft with their monthly patch release. The impact of the vulnerabilities range from local user privilege escalation (e.g. normal -> admin), through remote Denial of Service, to potentially total compromise of a vulnerable system. Exploits for a number of the issues are already in active circulation, and have been for some time. For detailed description, reference should be made to the applicable security updates from Microsoft. It is strongly recommended that all Windows users update to the latest security patches.
The vulnerabilities are being actively exploited on a wide scale. Although exploits were circulating prior to the patch releases, there has been an explosion in the number of attacks, with the start of the working week in the US expected to be a critical turning point. The Universal Plug and Play vulnerability is expected to become a major exploitation route, with multiple examples of exploits currently circulating.
A number of months ago, Microsoft announced the existence of their Honeymonkey network. Similar to a Honeypot, which is a fake server which is designed to lure malicious attackers to demonstrate their skills, a Honeymonkey is a system which is designed to actively surf a network and monitor for any automated style attacks. According to SecurityFocus, the Microsoft project has already identified nearly 300 sites which launch automated attacks against standard Windows XP systems, including one claimed 'zero-day' exploit. A 'zero-day' exploit is an exploit which has been released without the target software vendor being aware of the vulnerability being exploited. The exploit in question uses the JView vulnerability which was mentioned last month in this column. The JView vulnerability is just one symptom of the underlying COM Object instantiation problem, and the early news notification was suggesting that exploits were in the wild at the time (so it appears that Microsoft missed the boat on this one, again). The vulnerability exploited by the so-called 'zero-day' exploit was fixed in the recent 'Black Tuesday' updates from Microsoft.
News surfaced a little more than a week ago about moves by the US Government, through the FCC, to expand the Communications Assistance to Law Enforcement Act (CALEA). This is apparently being done to ensure that law enforcement agencies will still be able to conduct wiretaps even if alternative communications technology such as VoIP is being used. The practical implementation of the expansion is requiring networking hardware vendors to include a 'backdoor' in all their products, which can allow for access by law enforcement agencies as required. There are significant privacy and security concerns which arise from this expansion of the CALEA. From a security standing, it creates a known weakness in all networking hardware, a weakness which will not remain secret forever. Privacy activists are worried, because the access being granted allows for all the traffic flowing through the hardware to be grabbed (even if the CALEA provisions don't allow it).
Some observers have suggested that it is a slippery slope trying to maintain an effective balance between privacy and oversight. Although it has been said multiple times, the Internet is not a medium for storing or transmitting information that should not be seen by everybody. It is not a suitable place to store confidential information, and users should not expect to maintain confidentiality. Wireless technologies and the rise in broadband connections only makes it more difficult to ensure that adequate trust exists. Assuming that the Internet is anything other than that is a dangerous and naive stance to take, and is what leads to people getting themselves into trouble unintentionally.
One industry which has introduced strict rules in an attempt to enforce a reasonable level of information security is the Medical sector. Laws such as HIPAA are designed to ensure that adequate steps are taken in order to protect client privacy and medical results. Efforts to digitise medical records are fraught with greater risk of information disclosure, although it can expedite the net care delivery, which is the desired outcome. Various Governments in different countries have attempted to implement electronic medical records management, with varying levels of success, such as the OACIS system in South Australia, and the NHS Medical Record System in Britain. The NHS project has been a spectacular failure in terms of money spent, and lack of deliverable results. The Times came out with an article which claims that a large number of end users are becoming demoralised with the system, and that the £6 billion GBP system might be better off being written off. The project is already the most expensive Information Technology project in Britain, and the article claims that there are fears that the total cost of the project could explode to £30 billion GBP over the next 10 years. In a spectacular example of shooting the messenger, the report which prompted the article blamed the disaffected users for the delays in implementing the project.
Another company which has recently been shooting messengers publicly is Oracle (of course Cisco has done it, too). As a part of their series on Information Security specialists, ZDNet Australia interviewed the Chief Security Officer at Oracle. The resulting article was more of a PR piece than a detailed look at the security practices at Oracle, and like the other articles in the series it lacked real depth of technical information. What did make the article, however, was a clear indication that Oracle (amongst other companies) prefers to shoot messengers who are bearing information that they don't want to know about, or admit to. One of the responses by the Oracle CSO appeared to be establishing an 'us and them' approach to security vulnerabilities, denigrating the input from independent security researchers.
When a short lead time is given between vulnerability notification and public release (such as a matter of days), it places software vendors in a bind as they are unable to produce results, even if they throw resources at fixing issues. When the software vendors have had several hundred days to fix reported vulnerabilities, however, their complaints about unethical treatment from the independent researchers wear a little thin, especially if the vulnerabilities remain unfixed.
In the defence of the software vendors, it does become difficult to implement security fixes without breaking other functionality that the application has. This is especially true with any large scale application or product line, where the codebase is immense. As a result, being able to respond in a timely manner with a fix is sometimes near to impossible.
Snake oil is still being sold by the marketers, as the 'unbreakable' databases from Oracle aren't as secure as they are made out to be, and the 'self defending' network hardware from Cisco cannot prevent attacks against itself. If your security is not at a suitable level, then people will tell you about it.
In shorter news, Japanese online music purchasers have recently gained access to a localised iTunes Music Store, and have celebrated the access by purchasing a million tracks within the first four days. Australian online music buyers are still unable to utilise the popular online music store, with rumours suggesting that the holdup has been as a result of music companies holding out for a better deal.
Multiple news agencies were reporting mid last week on the settlement between Microsoft and notorious Spammer, Scott Richter. The settlement is conditional on the lifting of bankruptcy claims by Scott Richter, and his company OptInRealBig.com, along with compliance with extant anti-spam laws, and acceptance of three years oversight of his operations. Notorious as a former 'Spam King', as one of the top 3 global spammers, Richter has since cleaned up his act significantly, recently being removed from a list of Known Spam Operators. The $7 million USD settlement also includes a statement of contrition by Richter.
From Rock to Quicksand - 08 August 2005
Microsoft's termination of mainline support for Windows 2000 might be coming back to bite them. A couple of known flaws with various Windows services could result in the total compromise of Windows systems, including Windows 2000, XP, and 2003. The vulnerabilities have not been publicly identified, but it is only a matter of time until the hacking community discovers and exploits them, or the information leaks from the discovering researchers. Apparently the vulnerabilities reside in a core service of the NT derived Windows OS variants, one which can not be simply turned off. Because Microsoft has terminated mainline support for Windows 2000, this suggests that there will not be any patch or service pack to be released to fix the issue for Windows 2000. Security patches however, will continue to be released, but the initial reporting suggests that a simple security patch is not going to be sufficient. Hopefully this is not the case, as many users have decided to stay with Windows 2000, because it works, and it would cause major problems if a worm as virulent as Blaster managed to exploit these vulnerabilities. The problem with the Blaster and Sasser worms was that they were poorly designed, forcing a local denial of service, when a well designed worm would have resulted in a complete stealth takeover of the PC, which is the big risk with the new vulnerabilities. Paralleling this system flaw is an unpatched vulnerability with the handling of .mdb files (Access files), which can allow for complete compromise of a system. Again, this flaw affects Windows 2000, and later, and Microsoft Access and Office from version 2000, on. This flaw was initially publicly identified in April, and exploit code is beginning to appear on various mailing lists.
Details emerged last week of a set of techniques to capture information that is entered via software keyboards, particularly used in various online banking logins. A software keyboard is a representation of a keyboard that appears on the screen, and users click on the representation of keys that correspond to their password / PIN. They have been designed to overcome keyloggers capturing banking login details as a user enters them from the keyboard. The suggestion is that keyloggers are evolving to introduce these new techniques (which will not be published here), effectively neutralising the protection offered by the software keyboard. Even though these techniques are new, there have already been worms released which have targeted various implementations (such as eGold), but they have not been all that widespread in terms of infection rates.
Researchers in the USA and Japan have recently published papers describing methods that could be used to identify and avoid the passive network monitoring tools used to track the emergence of Internet threats. Centres such as the Internet Storm Centre, operated by the SANS Institute, use networks of systems that monitor various Internet addresses and track the traffic patterns being sent across them. These loose global networks are comprised of machines whose physical and network locations are kept secret, in order to prevent poisoning of results or avoidance of detection. The methods described in the papers suggest that it could take as little as a week for an attacker to determine the location of these machines and map out their network. The implications are important, as the information gleaned from these networks could be compromised through a number of methods. A rapidly spreading worm could specifically avoid propagating to those addresses, giving the worm more of a time advantage before defences are organised. Conversely, the monitoring network could be flooded with fake data, neutralising its effectiveness at identifying emerging threats, which could then allow a real threat to gain a sustainable foothold before a response can be arranged.
The Cisco vulnerability presentation that was reported on last week continues to cause trouble for various groups. Increasing numbers of companies and security firms are getting edgy while they wait for malicious hackers to automate an attack against the Cisco IOS operating system, which runs on most Cisco hardware. The chest beating continues from various people and groups who feel threatened that a threat has emerged which they can do nothing about, and have no idea what to do, but still feel the need to add their voice to the current cacophony. The responses are an interesting mix of fear, alarm, calmness, irrationality, and level-headedness, and it has seen reporting of other security vulnerabilities essentially dry up as people rush to investigate the vulnerabilities which could bring the Internet to its knees.
Following on from the vulnerability news, Cisco's main website was announced to have been vulnerable to an SQL injection attack (control of the database from the webpage), which potentially exposed the entire account database (particularly passwords). Users who held an account with cisco.com were presented with a dialogue advising them that their password had been reset, and would be available to be sent to the email account they had originally registered from. The freeze on logins caused trouble, as this site is where patches, bug reports, and other support items are available from. It was suggested by some inconvenienced users that whoever compromised the cisco.com passwords could potentially have access to passwords for multiple client systems, such as corporate networks, and that cisco.com account holders should start changing their passwords. This last point is not a failure of Cisco; rather it is a failure of the security practices of users who maintained similar (or the same) passwords across multiple services.
The requirement for account holders to email from the address that registered the account has also been proven inadequate. Testing by several parties indicated that spoofed From: and Reply-To: headers would allow a hacker to obtain the new password for a Cisco account holder. It has been suggested that more than 3 million accounts were directly affected by this recent breach, which is enough to cause worry amongst many customers.
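As an added illustration, not part of this column or of any Cisco system, the following contrasts a reset scheme that trusts the From: header of an inbound message with one that sends a single-use, expiring token to the address on file. The account store, addresses and function names are constructed for the example.

```python
"""Added example, not part of the column: why a reset flow must not trust the
From: header of an inbound message.

reset_by_sender() models the scheme described above: the new password is handed
out whenever the From: header matches the address on file, and From: is chosen
by whoever sends the mail. request_reset()/complete_reset() model the usual
alternative: a single-use, expiring token is sent only to the address on file,
so only someone who can read that mailbox can finish the reset. The account
store, addresses and names are constructed for the example."""
import hashlib
import secrets
import time

ACCOUNTS = {"alice": {"email": "alice@example.com", "password": "old-secret"}}
TOKEN_TTL = 15 * 60          # seconds a reset token stays valid
PENDING = {}                 # sha256(token) -> (username, expiry)


def reset_by_sender(username, inbound_headers):
    """Flawed: a forged From: header is enough to obtain the new password.

    Returns the new password (the flawed system would mail it to Reply-To,
    which the same sender also controls), or None."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    claimed = inbound_headers.get("From", "").strip().lower()
    if claimed == acct["email"]:
        new_pw = secrets.token_urlsafe(12)
        acct["password"] = new_pw
        return new_pw
    return None


def request_reset(username, now=None):
    """Hardened step 1: issue a token and return (destination, token) for the
    mail transport. The destination is always the address on file; nothing the
    requester claims about themselves is used."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    if acct is None:
        # A production system answers identically for unknown users so the
        # reset form cannot be used to enumerate accounts.
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash, so a leaked PENDING table does not yield usable tokens.
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    return acct["email"], token


def complete_reset(token, new_password, now=None):
    """Hardened step 2: accept a new password only from whoever presents a
    valid, unexpired token. The token is consumed on first use."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[username]["password"] = new_password
    return True
```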
The latest fad in Internet technology, after PodCasting (itself built on XML RSS feeds), is VoIP (Voice over IP). Although it has been growing quietly for a while, VoIP is starting to hit the mainstream, but there are problems that all potential VoIP users should be aware of. Because VoIP uses a transport mechanism that is NOT designed for a continuous stream of information, there is a risk of loss of information. According to an article at Security Pipeline, as little as a 1% loss of information can start to cause trouble with call integrity, with a 5% loss effectively destroying the usefulness of the transmission. The packets used for transmission are designed to survive arriving out of order, which a continuous stream of speech is not able to handle. The other downside listed by the article, which VoIP providers tend to gloss over, is the insecurity inherent in the system. There is no native encryption of the packets, allowing a growing number of tools to eavesdrop on VoIP connections with complete success (without the users being aware of it). Encryption options add a noticeable lag to transmission, which can be unsuitable for a number of users. The technology is also prey to the same problems affecting routine HTTP traffic (i.e. normal web traffic): slow networks, Denial of Service attacks, client-side malware, and power outages removing service. In a closed system, where integrity can be achieved, VoIP is a viable solution (even though it eats bandwidth), but the technology still has a little way to go before it is ready for prime time usage.
As a follow-up to the earlier reported breach of up to 40 million credit cards through the processing firm CardSystems, the company claimed at the US Congress hearing convened to cover the issue that it was not their fault that they had been breached; it was the fault of the auditors and consultants they had brought in to conduct a CISP audit on their systems. Never mind that the audit was 17 months before the breach was initially reported, and there is no indication that the audit covered all systems belonging to CardSystems rather than just the payment processing systems (the breach was from a separate system which had been storing the numbers for later analysis). As was suggested earlier, this is one element of the blame game, as the different parties involved point their fingers in every direction but at themselves, rather than accepting responsibility for their own actions.
A recent Internet Storm Centre Diary entry gave a disturbing example of just what information might be extractable from a simple Google search on a person. The information that was demonstrated was sufficient to carry out multiple types of fraud, from financial fraud through to complete identity theft. Even if you are careful with your online data entry, you should always be cognisant of the fact that you won't always have control over the personal information about you that is exposed online. Different Government agencies and bodies may place various records online with partial information disclosure, but these can then be cross-referenced with other results to develop a complete picture. Even though this information has always been available, it hasn't always been so readily available (i.e. for free, and to everyone).
On a slightly more fun note, a new record has been set for a high-speed wi-fi connection over distance, at the annual BlackHat DefCon gathering in Las Vegas. The winning team utilised standard wi-fi cards, spare satellite dishes, and a lot of clever thinking to develop a system which could happily sustain an 11 Mbit connection for over 3 hours, over a 125 mile (200 km) range, with an observable lag of 12 ms. The team that achieved the result believe that they can stretch the distance out to 300 miles, although the curvature of the Earth starts to affect transmission capabilities, and the 2.4 GHz wi-fi frequency is not able to bend through the atmosphere too well.
Grab a Coffee and Sit Back - 01 August 2005
The increased paranoia since the London attacks on July 7 is seeing a number of efforts to implement higher levels of monitoring and privacy data access by various Government agencies. One of the programs being implemented is a graphical overlay of security incidents over satellite imagery. The admission that the information might be up to 50 layers deep could prove more hindrance than benefit in the long run, by contributing to the information overload. Recently, the US TSA (Transportation Security Administration) were caught out overstepping their information collection provisions, and then caught out lying about it. The program in question is the successor to the CAPPS system, now known as Secure Flight. While the first two incidents are not related directly to the London attacks, the increased interest in CCTV proliferation and physical searching of travellers is a more direct response.
A new claim, by the same firm that claimed that $200 billion USD in productivity was lost by websurfing at work, is that free web space services are being used to a greater extent to carry spyware, malware and other inappropriate content. While the news from Websense is being widely reported, it does not come as a surprise to security professionals. Any time that a resource is available for free, people will come along and abuse it. At the same time, others who can not afford their own space will use it to distribute their own valid content. Seasoned Internet users will understand how simple it is to obtain free Internet space without requiring any form of identity validation, and they will understand that it is this capability which attracts the seamier side of the Internet.
This highlights a unique property of URLs. As a namespace, they are also a brand space, which allows site visitors to quickly identify the trustworthiness of a site based on the name in the address bar. Unfortunately, this is also open to exploitation, as seen by URL obfuscation attacks and phishing exploits, which appear in the browser as a legitimate URL, with a lot of gibberish attached to the end, but in reality are actually obscured addresses of other sites.
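As an added example, not part of the original column, the following are checks a defender can run on a link to see whether the name a reader sees is really the host the browser will connect to. The sample URLs and the trusted name bank.example are constructed; the checks are ordinary heuristics, not any browser's own logic.

```python
"""Added example, not part of the column: checks a defender can run on a link
to see whether the name shown is really the host the browser will connect to.
The sample URLs and the trusted name 'bank.example' are constructed."""
import ipaddress
from urllib.parse import urlsplit


def analyse_url(url, trusted_host):
    """Return the host actually contacted and a list of warning labels."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tail = parts.path + ("?" + parts.query if parts.query else "")
    findings = []

    # 1. Anything before '@' in the authority is userinfo, which browsers
    #    discard: "http://www.bank.example@203.0.113.5/" lands on 203.0.113.5.
    if "@" in parts.netloc:
        findings.append("userinfo-in-authority")

    # 2. A bare IP literal instead of a name is unusual for a public service.
    #    (Decimal or hex forms of an address are not recognised by ipaddress
    #    and would need a separate check.)
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    # 3. The trusted name appears somewhere in the URL but is not the host
    #    or a subdomain of it (e.g. www.bank.example.evil.example).
    trusted = trusted_host.lower()
    if trusted in url.lower() and not (host == trusted or host.endswith("." + trusted)):
        findings.append("brand-name-not-the-host")

    # 4. Long or percent-encoded tails are the 'gibberish' that pushes the real
    #    host out of view or hides where the link goes.
    if "%" in tail:
        findings.append("percent-encoded-tail")
    if len(tail) > 80:
        findings.append("long-tail")

    return {"real_host": host, "findings": findings}
```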
Arising in a discussion which followed the above news was an anecdote which suggests that the lack of trust in these sorts of services nearly brought about an individual's undoing. While they were applying for a job, they were contacted by someone claiming to be from the recruitment agency, who said that to expedite their application they could fill out a set of electronic forms. The forms covered some fairly personal details, and the email address did not match up with the recruiting firm. The end result was that the forms were legitimate, but it is an excellent example of a social engineering attack (i.e. a con) which would be more likely to succeed than most.
An early controversy from the current DefCon conference in Las Vegas involves rumoured attempts at censorship by Cisco. The researcher in question has resigned their position with a commercial security research company (ISS), in order to present the information about Cisco router vulnerabilities. The content of his presentation, meant to be included in the conference notes, had been physically ripped out of each copy of the notes, and the suspicion is that Cisco applied pressure to ISS and DefCon to prevent the presentation which would publicly damage them. Cisco and ISS went so far as to file a restraining order against the researcher, and DefCon. DefCon is one of the best known hacker conventions held each year, and public announcement of security vulnerabilities in the forum is guaranteed to attract interest from both sides of the Information Security spectrum.
The researcher in question ignored these actions in order to present on how vulnerable Cisco networking equipment was to compromise. To do so, he submitted his resignation from ISS so that he could present as an independent. The vulnerability used to demonstrate the attack had been patched in April, but it was stressed that the technique would succeed against any memory overflow vulnerability.
Because Cisco hardware supports a significant percentage of the Internet's infrastructure, the vulnerabilities disclosed at DefCon could have significant, wide-ranging effects. Historical weaknesses have largely been limited to Denial of Service style attacks. The recently announced vulnerabilities are much more serious, allowing the attacker to run code of their choice on the equipment (essentially a total compromise of the hardware). The difference is one of scope: attacks directed at computers allow control of a computer, but attacks directed at network hardware allow control of the complete network.
The recommendation for operators of Cisco equipment is to continually ensure that they keep their hardware up to date with the latest patches and updates.
The fallout from the announcement of the vulnerabilities has caused deep division in the security community, lining those who believe in Full Disclosure up against everyone else. The release of the information is a perfect example of information wanting to be free. The attempt to suppress the release only made it more desirable for people to get possession of it. It guaranteed that far more attention will now be directed at Cisco products where, before, the content of the presentation might have been lost in the background noise at DefCon.
According to at least one analyst, the information released at DefCon was the result of information previously published on a Chinese site. The advisory released by Cisco supposedly protects against the actual vulnerability that was being investigated at the time (but does not prevent the technique described from working against other flaws), and relates to the IPv6 implementation on their hardware. If router owners have applied the update from April, they will be protected for this one instance of the flaw. IPv6 is the next generation of Internet addressing, and is designed to provide enough address space for all possible devices that could connect to a network or the Internet. The current Internet addressing model, IPv4, is rapidly running out of space for new devices, which has resulted in the creation of NAT addressing, which allows numerous devices to access the network from behind a single public IP address.
Some people are annoyed that Cisco did not announce the fix, instead 'streamlining' it into the April update. The spin being applied by Cisco and ISS PR representatives looks contradictory. If the techniques described are not critical, as these companies are trying to claim, then why are they entering crisis mode in trying to suppress the availability of the information released? Cisco representatives even posted to security mailing lists telling everybody to ignore the document that most had in their possession, and to forget what they had read. This technique doesn't work, as various companies have found: Microsoft losing part of their Windows source code (via a third party breach), Cisco having their IOS source code stolen, Valve having the source code to Half-Life 2 stolen, and many other cases. Paranoid people have already suggested that this flaw has long been used by intelligence agencies and other bodies to surreptitiously tap into traffic of interest, without alerting network managers that anything is out of place.
Microsoft has released to MSDN members the first beta of their upcoming Windows release. Originally known as Microsoft Longhorn, the renamed version is Microsoft Vista, and it also includes the first beta release of Internet Explorer version 7. For web developers and standards advocates, it appears that the rendering engine for Internet Explorer 7 has not been modified from the previous versions. Enhancements that it introduces include tabbed browsing and a phishing detector.
The early reviews of the releases do little to instil faith in the upcoming products. It appears that IE 7 maintains most of the flaws that bugged web developers in IE 6 and earlier. The tabbed browsing enhancement brings it into line with most current browsers, but the user interface modification that allows the tabs has caused some confusion and consternation amongst reviewers. The menus (File, Edit, etc.) have been moved from the top of the active window to the line just above the rendered page. This places them below the tabs, and below the address bar. Unfortunately, this gives the impression that the menus are specific to those tabs, when they are application-wide. This is a major problem from a UI perspective, and will only cause confusion among less-experienced users. At least it is only the first beta, so there is some hope that these issues will be resolved prior to the final release.
The phishing filter is also a concern for security-minded reviewers. The filter works by reporting the website address being viewed back to Microsoft, which then compares it against a list of known bad sites before reporting whether it is a phishing site. The downside is that a certain number of users need to succumb to the phish before the Microsoft solution will be able to identify the site to others. This requires an extra set of connections for each website being visited, slowing down the user experience, and gives Microsoft the ability to tie an IP address to browsing habits more closely than any Internet marketing firm or spyware could. The other concern is that phishers rarely establish dedicated domains for their efforts, preferring to use hacked sites, compromised cable or business systems, or elements of their bot networks. The blacklist established by Microsoft will have the same potential for abuse that spam blacklists have, and it will be more effective at trapping legitimate sites than phishing sites.
In an effort to slow down the spate of illegal network connections via unsecured wireless hotspots, people are beginning to be charged for accessing them without the express permission of the network owners. While using network bandwidth and resources without permission may be morally reprehensible, and laws exist which dictate penalties for such access, the rapidly changing nature of small scale networks, and laptop Internet connection technology is a threat to these laws. The rapid increase in people connecting to networks, in particular the Internet, who are not particularly Information Technology savvy has created a strange void where a user may be unknowingly connecting to a wireless access point that another person has unknowingly left unsecured.
For people who actively seek out unsecured networks, increasing the size of their receiving antenna helps them to pick up weak signals, such as might arrive in a carpark after being attenuated by the walls of a building, or allows them to access networks at a range much longer than normal. One of the most common, and cheapest, techniques for increasing the size of an antenna is to use a "Pringles" can. The obvious advantages of this approach are that the cans are commonly available, cheap, and people carrying them do not draw too much attention, at least until now. A representative of the Sacramento Sheriff's Department's Sacramento Valley Hi-Tech Crimes Task Force stated that "They're [Pringle can antennas] unsophisticated but reliable, and it's illegal to possess them" (later reporting suggests that this is a misquote and that the officer was not implying that it was illegal to own or use them, but that they should be, by treating them like burglary tools, which are illegal to possess). While this statement appears counter-intuitive, it actually relates back to use of the electromagnetic spectrum for transmission of data.
With most wireless Internet access operating on the 2.4 GHz band (the same as your microwave), there are strict rules and compliance required to operate a transmission station. Modification to an approved device will render the device non-approved (as per section 15 of the FCC rules), and it should then cease to be used for transmission purposes. The other aspect is illegal network usage and resource consumption, as covered by a number of anti-hacking and computer misuse laws. However, given that most antenna modifications are homebuilt, another section of the FCC rules (15.23) appears to allow the use of them, provided that basic restrictions are followed.
TippingPoint, a subsidiary of 3Com, has announced that they will be buying vulnerabilities from security researchers, in an effort to stop them from publicly releasing security vulnerabilities which can be turned into active exploits by hackers. Various security lists have debated the ethics and morals behind such an idea, and how it can introduce unwanted liability for the purchasing party. With payment for vulnerabilities, it forces researchers, who want to get paid, to lose their anonymity. Quite a number of independent researchers have had poor working relations with the major software vendors, and are likely to balk at the suggestion that they hand over their hard work for someone else to work with, knowing that the software vendors will know who they are. Because of the perceived bad treatment, quite a number of security researchers have developed a strong desire to be a thorn in the side of some software vendors, either out of spite, or as an attempt to force them to acknowledge their software flaws, and improve upon them. Anecdotal evidence suggests that this is not the first time that 3Com has taken to paying for vulnerability reports. A number of other companies also offer bounties to internal teams for discovering bugs in flagship products.
The oft-repeated reason for implementing a plan like this is that if someone is capable of breaking in to your systems, then you would be better off paying them to keep your systems safe from other hackers (and themselves). The drawback to this approach is that it is essentially a willing form of 'protection money', or legalised extortion, and only lasts until the next hacker with a chip on their shoulder comes along and breaks in. Historically, this was known as 'Danegeld' in the British Isles: the protection money paid to the Vikings to get them to stay away.
The idea of paying researchers for newly discovered vulnerabilities has opened a proverbial can of worms amongst security minded individuals, with a fair mix of individuals arguing vehemently for both sides of the argument - that such actions are, and aren't, ethically and morally permissible.
Some have come out to say that the vast majority of security fixes amount to a single character in a single line of code being changed. They then go on to argue that the delay in creating and distributing these fixes causes problems as ethically bound security researchers run out of patience for an official move from the vendor.
The intentions of the company that is going to pay for the vulnerabilities has been called into question. Their main commercial product is an IPS, an Intrusion Protection System. The company would stand to gain significantly from suppressing announcement of vulnerabilities reported to them. By sharing this privileged information with their customers, protecting them against the exploits for that particular vulnerability, it gains them more value for the longer periods that they can extend the time before public announcement.
Finally, in Russia it appears that some people have finally had it with spam in their email. The Russian spammer responsible for the most Russian spam, Vardan Kushnir, was found beaten to death in his Moscow apartment at the start of last week. Vardan was responsible for spamming almost every Russian email address with spam for his English learning centres, 'The Centre for American English', 'The New York English Centre', and 'The Centre for Spoken English'. It is estimated that more than 200 million emails were sent out for these centres. A number of observers have opined that it is impossible to annoy so many people and not expect some sort of retribution once you get discovered, even if that retribution was, itself, illegal.
Rumours are surfacing that the spammer's death was the responsibility of the Russian Mafia, and that, due to his profile in the spamming business, he was killed because of some indiscretion. The Russian Mafia appears to be the leading organised crime body which is utilising modern technology as a part of their crime activities. Distributed Denial of Service attacks are threatened against online casinos or other high cashflow online entities, spam is sent for profit, worms and viruses are created and distributed to obtain machines for zombie networks, and to leak personal financial data, phishing takes place to gain access to banking accounts online, and an ability to drain them at will.